As part of Privacy Awareness Week 2017, the Australian Information and Privacy Commissioner is promoting the theme of Handle with Care. For businesses this is an opportunity to consider how they handle personal information and their security and information handling practices through the entire life cycle of personal information. This includes the handling of any transactions involving the transfer of personal information.

With data increasingly being seen as a valuable trading commodity, the sale and purchase of customer information is now big business and transactions relating to or involving databases that contain customer information are on the rise.

Databases can be acquired in many ways, including by:

  • the acquisition of a business that has collated a database; or
  • the direct sale and purchase of the database as a single asset.

When undertaking any transaction involving the transfer of a database containing personal information, parties need to ensure they have proper regard to the prospective application of the Privacy Act in undertaking due diligence and completing the transactions, including in preparing transaction documentation.

Here are a few pointers to consider, from a privacy perspective, when dealing with transactions involving databases:

1. Consider whether the database contains personal, sensitive or credit information: In any transaction involving the sale or purchase of a database, the first port of call is to determine whether the database in fact contains personal, sensitive or credit information as captured by the Privacy Act and Australian Privacy Principles (APPs). If that is the case, the Privacy Act and the APPs and their application to the transaction will need to be carefully considered. Determining whether data is personal information is not always straightforward. The Office of the Australian Information Commissioner has recently issued guidance on what could be "personal information" under the Privacy Act.

2. Be aware of steps you must take in any due diligence to comply with the Privacy Act and the APPs: Vendors and purchasers should take reasonable steps to protect personal information being handled during the course of a transaction. As a vendor, a database of information you have collected may be a key asset of your business and will likely come under the scrutiny of any prospective purchaser in the course of due diligence. As the collector of the information, remember that you remain responsible for the handling and disclosure of such information. For purchasers, remember that many obligations under the APPs stem from an entity 'collecting or holding' personal or credit information, and your access to the information could conceivably constitute such an act.

Reasonable steps to consider taking to maintain the integrity of personal and credit information during the due diligence process could include:

  • de-identifying the information that is being exchanged or disclosed as part of the due diligence process;
  • ensuring a purchaser only inspects, and does not take copies of, the information; and
  • ensuring that any information accessed or handled by a potential purchaser during the course of its review and the transaction is returned to the vendor or destroyed once it is no longer required.

3. Consider the extent of the consents given: When buying or selling a database, parties should consider whether the vendor has the necessary customer consents to sell the database or to grant prospective purchasers access to the information as part of a due diligence process. Consideration must be given to the consents that have been received from data subjects and the terms of the vendor's privacy policy. In some circumstances and depending on how information is disclosed or exchanged, a buyer may need to inform data subjects that it is disclosing their personal information. Remember that, by buying a database containing customer information, an entity that may not otherwise be covered by the APPs may become subject to the APPs.

4. Consider seeking suitable contractual warranties: Suitable warranties should form part of the terms of any agreement between the parties to a transaction involving the transfer of a database. These warranties should cover: the process by which personal information was collated; the level of consent from data subjects that has been obtained (or whether such consent was necessary); the future use of the database and the protection of the database going forward. While this will not absolve the parties of any obligations that might arise under the Privacy Act and the APPs, it may provide an avenue for damages or loss that may be suffered as a result of the other party's non-compliance.